Thursday, November 16, 2006

In a comment on my post more about securing an office someone suggested using biometrics. The positive aspect of biometrics is that they can't be lost, no-one is accidentally going to leave a finger or an eye in their car while they go to a party while other authentication devices are regularly lost in such a manner.

The down-side is that having your finger or eye stolen would be a lot less pleasant than having a USB device, swipe-card, key, or other security device stolen. I think that it's good to have an option of surrendering your key when under threat (for the person who might be attacked at least).

Rumor has it that some biometric sensors look for signs of life (EG temperature and pulse), but I believe that these could be faked with a suitable amount of effort. A finger attached to a mini heart/lung machine should make it possible to pass the temperature and pulse checks (although I don't think that I have access to any data that is important enough to justify such effort on the part of an attacker).

One thing that biometrics could be useful for is screen-blankers. It would be good to be able to have a screen-blanker for your computer that operates when you go to get a coffee. For a period of 10 minutes after leaving a biometric method could be used to re-enable access. After that time a different method would ave to be used. This gives the convenience of biometrics for when you need it most (the many short trips away from your computer that you make during the day) but removes the benefit for an attacker who might consider removing part of your body. Also I am not convinced in the general security of biometrics. There are claims that you can make a finger based on a fingerprint which can fool a biometric sensor. If those claims are correct then a biometric sensor would still work for a coffee break (presumably you are not far away and will be back soon, and other people are in the area). The coffee break security is usually to prevent casual snooping such as colleagues who want to see what was on your screen but not actually do anything invasive to get it. Another benefit of biometrics for a screen saver is that although I trust people in the same office as me (whichever office that may be) not to try anything when they might get caught I still don't want them shoulder-surfing my password. Replacing the trivial authentication cases with a fingerprint reader would prevent that.

In the KDE 1.x days I had a shell script launched when the lid closed on my laptop which would lock the screen (the screen-saver ran in the background and a signal could make it lock the screen). This meant that I could merely close the lid of my laptop to lock the screen, this is fast and easy and also is not immediately recognised as locking the screen. Some people get offended if you lock your laptop screen when in their presence as they think that you should trust them enough to leave your most secret data open to them (generally people who aren't serious about computers - I'm sure that the same people would happily lock their diary if I was ever in the same room as it). Being able to lock the screen in a non-obvious way is a security benefit.

Regarding the comment about using a USB device to store passwords, there are two problems with this, one is that all passwords will be available all the time, this means a program that is permitted to access password A would also be given access to password B. The other is that the passwords can be accessed easily. The ideal solution is to have an encryption device that uses public key cryptography and stores the private keys on the device with no way of removing them. It would also permit the user to authorise each transaction.

I would like to see a USB device that stores multiple GPG keys and implements the GPG algorithm (with no way for anyone with less resources than the NSA to extract the keys). The device would have a display and a couple of buttons. When it is accessed it would display messages such as "signing attempt on key 1" and allow me to press a button to authorise or reject that operation.

This means that if I insert the key to sign an email I won't have a background trojan start issuing sign and decrypt commands. The only viable attack that would be permitted is the case where I want to sign a message and my message is sent to /dev/null and a message from an attacker is signed again. The non-arrival of my original message would hopefully alert me to this problem. I am not aware of any hardware which supports these functions.

Also I have just received a couple of RSA SecurID tokens as a sample. An RSA representative phoned me to ask about my use of the tokens, I said that I am an independent consultant and I have been having trouble getting my clients to accept my recommendations to use such devices and that I want to implement them on a test network so that I can give more detailed advice to my clients and hopefully get them to improve their security. For some reason the RSA rep found that funny, but I got my sample hardware so it's fine.

Johannes, no I haven't read that book. As it's free I'll have to check it out.

As for the binary-only daemon thing, SE Linux is good for confining that sort of thing. One thing I'm considering doing at the moment is writing a PAM proxy program, so if you have a binary-only PAM module you can have it run in a different domain to the program that is authenticating the user. I know that this will be a lot more difficult than it sounds, particularly as I have to exec a different process to get the SE Linux security context right.

Russel, Once again..great post! Biometrics are indeed quite easy to fake, however I think they are perfectly suitable for two-factor authentication scenario. They would be the "know" factor. As odd as that sounds considering it's not actually something you know. The other "have" portion would be the GPG smart card. I have read many articles beating up two-factor auth for good reason...passwords! I really like the ideas about screen locking. Now incorporate that into GPG card/USB/Whatever scenario and I think we would have a usable solution.

As for the Mythbusters tests, they only tried with optical readers. I expect that capacitance readers (as those on Thinkpads) would be considerably more difficult to break. I think it would take making a fake finger with two layers of the proper dieletric constants and thicknesses to match those in the finger.